John Keown wrote:
That is correct but in order to relay through our server the other domain
must pass our test as a closed secure mta and smtp authentication both their
users and the mta.
The only hack is then one of the hacker getting access to the user's email
address and password and spamming that way. But a good mta will restrict the
number of messages per unit time from an individual user and thus make it
impractable to spam.
The MTA should also ensure that the sender domain name being used is allowed
to be used by the authenticated user. These are all fine things to do but how
many MTAs current enforce such rules? I'm not aware of *any* MTA that can
easily do all of these things "out of the box" and if the number of ISPs
actually doing this right now is more than a fraction of one percent, I'd be
amazed. It therefore follows that SPF *on its own* is not a guarantee that the
purported sender authorized the mail.
Paul.